07: Using Least Privilege Manager

Use your own MDM solution to deploy rules which enable Standard Users to do things that only admins can. See three “base hit” examples here.

PolicyPak MDM: Using Least Privilege Manager

Hi, this is Whitney with PolicyPak Software. In this video, we’re going to learn how to elevate applications to run as an admin even if your user is just a standard user. We’re going to do this using PolicyPak’s Least Privilege Manager component. Then we’re going to export those settings, wrap them up in an MSI, and then deploy them using an MDM service. We’ll be using AirWatch today, but you can use any of them. You can use MobileIron or Intune or whichever you have.

To start off with, let’s look at my endpoint here. Note that I am not domain joined. You can be in this particular instance, but you don’t have to be. I am currently not domain joined. I am enrolled in an MDM service. You can see I’m “Connected to AirWatchMDM.”

Most importantly, I think, the “PolicyPak Client-Side Extension” and the “PolicyPak MDM Licenses for PolicyPak” have already been deployed from AirWatch to me. We already uploaded those, deployed them to this machine, and these are the things that need to be installed on your endpoints in order to make the PolicyPak directives work.

Now let’s go look at the problem that we have. As a standard user, I can run “CamPlay” just fine. I can open up “NotepadP,” and that’s no problem. But if I wanted to use, say, Process Monitor (“Procmon”), I’m going to get whacked with a UAC prompt and asked to give credentials that as a standard user I just don’t have.

If we try to install “iTunes,” we’re going to have that same problem. It will extract for a little bit. Then we’ll click “Next” and we’re going to get hit with that UAC again.

Finally, if I try to get into something like the “Device Manager,” I’m going to get told that “You are logged on as a standard user.” I can look, but don’t touch. Here we go. I can’t do anything with this. I can just see it.

We’re going to fix that with the PolicyPak Least Privilege Manager. Now let’s go over to my management station. This is a DC that I have connected to what is actually a fake domain. We recommend that you use a DC so that you can leverage everything that Group Policy has to offer, but it doesn’t have to be a real one. It can be a virtual machine just like the one I’m using now.

I’ve actually already created a GPO here. I called it “LPM MDM Demo.” We can actually put these directives on the user side or the computer side. I’m just going to pick the computer side today. I’m going to go choose “Least Privilege Manager.”

I’m going to start with “ADD NEW COLLECTION” because we’re going to end up exporting these policies to then get wrapped up in that MSI, and I’d rather export just a single collection rather than a bunch of policies. So let’s create that “Collection 1.”

We’re going to start with “ADD NEW EXE POLICY” to allow Process Monitor to run elevated, so I’m going to choose that. We’re going to start with “Use simple rule.” We can choose any of these file “Conditions” – “Path,” “Hash,” “Signature” or “File Info.” I’m going to go with “Hash” though. It’s basically the fingerprint of the file. I’m going to click “Next.”

I’m going to “Select reference file.” Let me go grab my Process Monitor reference file here (“Procmon”). We’ll click “Next.” We’re going to “Run with elevated privileges” because we want to bypass that UAC. We’ll call it “Let ProcMon Run” and “Finish” up.

The iTunes installer is actually also an executable, so we’ll go ahead and “ADD NEW EXE POLICY” again. I’ll click through this pretty quickly. We’ll do that same “Hash.” I’ll “Select reference file.” This one is actually in my “SHARE” folder here, so let’s go grab that. There we go. Click “Next.” Again, we’re going to “Run with elevated privileges” because we want it to install as an admin. So we’ll “Let Itunes Install” and “Finish” up there.

Finally, we’re going to let ourselves get into the Device Manager as an admin, but that’s a little bit different. We’re going to use “ADD NEW CPL POLICY” and click “Next.” This time, we just need to choose which particular CPL policy we want to use, so in this case “Device Manager.” We’ll “Run with elevated privileges” once again. It’s kind of a theme. We’ll “Let DM Run” and “Finish” up.

Now we’ve put these directives in place, but we need to be able to get them into an MSI so that we can then deploy them using our MDM solution. Let’s go over to “Collection 1.” I’m going to right click and choose “Export Collection as XML.” I’m going to just throw this right on the “Desktop,” and I’m going to call it “LPM Demo.” If we move this, we should see it right there.

All right, now we’ve created our directive. We’ve exported as an XML. Now what? Well, when you installed the PolicyPak admin console MSI, it actually installed a couple of other things as well, one of which is the “PolicyPak Exporter Tool.” This is what we’re going to use to create our MSI.

This tool actually does several other things, but we’re going to start with just “Create a new MSI installer.” We’ll click “Next,” and we’re going to “Add Existing Files.” We’re going to use that “LPM Demo” XML we just created. We’re going to “Install For” “Computer” with a “Target” of “All Users,” and we’re going to click “Next.”

We can name this whatever we want. I’m just going to put the Least Privilege Manager initials “LPM” right there. It’s going to ask us where we want to save it as soon as we click “Next.” We’ll just do right on the Desktop. We’ll just call it “LPM MDM Directives.” There we go. It has been done, and it popped up right there.

Now we’re going to need to upload that to our MDM solution, whichever that happens to be. Like I said, we’re using AirWatch today, but you can use Intune, MobileIron, whatever you have. Let’s go up here. We’re going to “Add Application.”

Now for the sake of the video, I’m going to just pause it here. I’ll get it uploaded and deployed to my machine, and then I’ll show you what happens when we come back to my endpoint and the magic has been done. We’ll be right back.

We are back. Just by way of example, let me go ahead and point out right here we now have “LPM PolicyPak Settings” installed just as we expected. As such, now we can get into Process Monitor (“Procmon”) without a UAC, just like we told it to.

If I try to install “iTunes,” I can double click it. It will get right there. We click “Next” and there we go. We can go ahead and “Install” it.

While that’s happening, let’s go ahead and look at the “Device Manager.” If we go look up there, it pops right up without any prompt telling you, “You can look, but you can’t touch.” Now you can do both.

With the magic of PolicyPak Least Privilege Manager and our MSI creator, then we can deploy those using any MDM solution you have on hand. If that’s interesting to you, let us know and we’ll get you started right away.
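The video picks the “Hash” condition for both EXE policies because it is “basically the fingerprint of the file.” The practical consequence is that a hash rule matches exactly one build of the file: the moment Process Monitor or the iTunes installer is updated, the fingerprint changes and the rule silently stops matching, while a “Signature” condition would keep matching as long as the publisher’s signature is valid. The following PowerShell script is an added example, not PolicyPak code and not part of the video; it records the SHA-256 and Authenticode signer of each reference file and warns when a file’s fingerprint has changed since the last run or is not validly signed. The file paths and the manifest location are assumptions, and the hash algorithm PolicyPak itself uses for its “Hash” condition is not stated on the page, so SHA-256 here is only the script’s own record.

```powershell
# Added example (not PolicyPak code): keep a manifest of the reference files behind
# hash-based elevation rules, and flag when a rule will no longer match.
# Paths below are assumptions for illustration only.
$ReferenceFiles = @(
    'C:\Tools\Procmon.exe',               # assumed path to the Process Monitor reference file
    '\\SERVER\SHARE\iTunes64Setup.exe'    # assumed path to the iTunes installer on the share
)
$ManifestPath = 'C:\Tools\lpm-reference-manifest.json'   # assumed location for the stored fingerprints

function Get-ReferenceFingerprint {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Sha256 = $null; Signer = $null; SignatureStatus = 'FileMissing' }
    }
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash.Hash
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignatureStatus = $sig.Status.ToString()
    }
}

# Load the fingerprints recorded on the previous run, keyed by path (empty on first run)
$previous = @{}
if (Test-Path -LiteralPath $ManifestPath) {
    foreach ($entry in (Get-Content -LiteralPath $ManifestPath -Raw | ConvertFrom-Json)) {
        $previous[$entry.Path] = $entry
    }
}

$current = foreach ($file in $ReferenceFiles) {
    $fp = Get-ReferenceFingerprint -Path $file
    if ($fp.SignatureStatus -ne 'Valid') {
        Write-Warning "$($fp.Path): signature status is $($fp.SignatureStatus); a Signature condition would not match this file"
    }
    if ($previous.ContainsKey($fp.Path) -and $previous[$fp.Path].Sha256 -ne $fp.Sha256) {
        Write-Warning "$($fp.Path): SHA-256 changed since the last run; an existing Hash rule for this file will stop matching until it is rebuilt from the new file"
    }
    $fp
}

# Show the result and store it as the baseline for the next run
$current | Format-Table Path, Sha256, SignatureStatus, Signer -AutoSize
$current | ConvertTo-Json | Set-Content -LiteralPath $ManifestPath
```

Run it from an elevated admin console each time a reference file on the share is refreshed. A changed hash is the cue to re-select the reference file in the EXE policy and re-export the collection as a new MSI, since the deployed rule still carries the old fingerprint; an unsigned or tampered reference file is the cue to stop and verify where that file came from before elevating it for every standard user on the endpoint.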

11-Nov-2019